I am analyzing my incoming connection log from my Linksys E1000 wireless router. [Bonus points if anyone can tell me how long these routers store logs because I can't figure it out anywhere, so I can't really correlate well.]

I have three entries. One is a known entry as it shows my friend's ISP and says the port that I have Mumble server configured on.

The other two entries are from unknown IPs. One resolves to a Serbian IP. The other one somewhere just as concerning. The destination port is 54876.

What am I seeing here? The only port I have forwarded in my router is for Mumble/Murmur. Isn't everything else implicit deny? What is port 54876 used for and is this scanning or what could this entry be?

The syntax in the entry is 'External IP' from wan to port 54876 is accepted

1 Answer

One of several possibilities is that it is just the result of an outgoing connect. You connect to port 80 on a web server (or any other port/server), but on your end the connecting port is randomly selected.

Logs on routers are usually very short lived; they usually have room for a few 100 or maybe a 1000 if you're really lucky, and that is it.

If you want to do some serious analysis you will have to find a compatible open source router firmware like Tomato or DD-WRT. Otherwise you probably won't be able to access the logs.

Large groups of botnets scan ports and IPs randomly to avoid being detected as port scans. In a year or so I have had 62,000+ IP addresses attempt to connect to different unused ports. I add 100 a day or so.

Wonder if even an advertisement on the web could show up in my router logs somehow? I don't know of accessing any web server (going to any website) that would resolve to that...but I suppose it's certainly possible and this sounds like a very logical explanation. I've since upgraded routers and am hoping the stock firmware does some decent logging. If not, I'll look into something like DD-WRT.
– shift_tab Aug 15 '15 at 17:31

@shift_tab if you use whois on the 2 IP addresses, who do they resolve to?
– cybernard Aug 16 '15 at 5:49

I'll have to look back at my logs. One was in Serbia and I don't remember the other. I've upgraded wireless routers since first posting this question. I'm hoping the logging is a bit better. I have a feeling I'll be desiring more, so maybe I'll try out DD-WRT or some other open-source firmware.
– shift_tab Aug 17 '15 at 14:39
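
The two explanations in the answer (traffic tied to an outgoing connection on a randomly selected local port, versus unsolicited scanning of unused ports) can be given a first-pass triage from the log itself. The following Python is an added example, not part of the original question or answer. It assumes the line shape quoted in the question, Mumble's default port 64738 as the only forwarded port, and constructed sample lines using documentation-range IPs.

```python
import re
from collections import Counter

# Assumption: line shape as quoted in the question,
# "<external IP> from wan to port <port> is accepted".
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) from wan to port (?P<port>\d{1,5}) is accepted$",
    re.IGNORECASE,
)

# Assumption: Mumble's default port; replace with the ports you actually forward.
FORWARDED_PORTS = {64738}
# Ranges clients commonly draw random source ports from:
# IANA dynamic range and the Linux default ip_local_port_range.
EPHEMERAL_RANGES = [(49152, 65535), (32768, 60999)]

def classify(port, forwarded=FORWARDED_PORTS):
    """Label a destination port seen on the WAN side."""
    if port in forwarded:            # checked first: 64738 is also in the dynamic range
        return "forwarded"
    if any(lo <= port <= hi for lo, hi in EPHEMERAL_RANGES):
        return "ephemeral"           # consistent with an outgoing connection; not proof
    return "unexpected"              # not forwarded, not a client source-port range

def parse_log(text):
    """Return (ip, port, label) for each well-formed line; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) > 65535:
            continue
        port = int(m["port"])
        entries.append((m["ip"], port, classify(port)))
    return entries

def summarize(entries):
    return Counter(label for _, _, label in entries)

# Constructed sample log (not real data).
SAMPLE_LOG = """\
198.51.100.23 from wan to port 64738 is accepted
203.0.113.77 from wan to port 54876 is accepted
192.0.2.14 from wan to port 54876 is accepted
203.0.113.9 from wan to port 23 is accepted
not a log line
"""

if __name__ == "__main__":
    for ip, port, label in parse_log(SAMPLE_LOG):
        print(f"{ip:15} -> {port:5}  {label}")
```

An "ephemeral" label only means the port falls in a range clients use for outgoing connections; confirming it requires matching the remote IP and time against the router's outgoing log or a capture on the LAN side.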